Abstract — Reconciliation is an essential part of any secret-key 
agreement protocol and hence of a Quantum Key Distribution 
(QKD) protocol, where two legitimate parties are given correlated 
data and want to agree on a common string in the presence of an 
adversary, while revealing a minimum amount of information. 

In this paper, we show that for discrete-variable QKD pro- 
tocols, this problem can be advantageously solved with Low 
Density Parity Check (LDPC) codes optimized for the BSC. In 
particular, we demonstrate that our method leads to a significant 
improvement of the achievable secret key rate, with respect to 
earlier interactive reconciliation methods used in QKD. 



I. Introduction 

In a QKD protocol [1], two legitimate parties, Alice and 
Bob, aim at sharing an information theoretic secret key, even 
in the presence of an eavesdropper Eve. In the quantum part of 
such a protocol, Alice and Bob exchange quantum signals, e.g. 
single photons, which carry classical information. For instance, 
Alice encodes a classical bit onto the polarization or the phase 
of a photon and sends this photon to Bob who measures it. 
After repeating this step n times, Alice and Bob share two 
n-bit strings, X and Y. Eve has access to a random variable 
Z, possibly correlated to X and Y. 

In any realistic implementation of a QKD protocol, X and 
Y suffer discrepancies mainly due to losses in the channel 
and noise in Bob's detectors but which are conservatively 
attributed to the action of an eavesdropper. Therefore, any 
QKD protocol must include a classical post-processing step 
in order to extract a secret key from the correlated strings 
X and Y. This is done thanks to classical communication 
over a noiseless, authenticated but otherwise insecure channel. 
This secret key agreement is itself split in two parts. First, 
Alice and Bob correct the errors between their strings: this 
is the so-called reconciliation phase which concerns us here. 
Then, in the privacy amplification phase [2], Alice and Bob 
apply a randomly chosen compression function to their mutual 
string. If the compression function is well chosen, the result 
is uncorrelated with Z and constitutes a secret key. 

The theoretical secret capacity $K_{\mathrm{th}}$ is given by: 

$$K_{\mathrm{th}} = H(X|Z) - H(X|Y). \tag{1}$$

The precise definition of $H(X|Z)$ depends on the type of 
attack considered, whereas $H(X|Y)$ represents the conditional 
(Shannon) entropy of X given Y. 

This secret capacity is actually theoretical and is achieved 
only in the case of a perfect reconciliation scheme. In particular, 
the term $H(X|Y)$ corresponds to the minimum amount 
of classical information that Alice needs to send to Bob to 
help him correct his string Y. In a realistic implementation, 
the actual secret key rate $K_{\mathrm{real}}$ is given by: 

$$K_{\mathrm{real}} = H(X|Z) - f\,H(X|Y), \tag{2}$$

where $f$ is a parameter greater than 1 that characterizes the 
reconciliation efficiency. 

The main effect of an imperfect reconciliation is clearly 
a reduction of the secret key rate, which in turn, limits the 
range of the QKD protocol. This is the reason why the 
reconciliation should be as efficient as possible. However, 
one should keep in mind two other important factors when 
evaluating a reconciliation scheme: its complexity and its 
rapidity. This last criterion is especially relevant in the case 
of highly interactive schemes where latency can become an 
issue. 

In most QKD protocols, the information is encoded on 
binary variables. This is the case we will consider here. Errors 
are usually uncorrelated and symmetric. For this reason, X and 
Y can be seen, respectively, as the input and the output of a 
binary symmetric channel (BSC). In a typical implementation 
of a QKD protocol, Alice and Bob have access to the channel 
characteristics. In particular, the crossover probability p of the 
BSC is supposed known. 

To fix ideas, let us consider the most emblematic QKD 
protocol: BB84 Q. For this protocol, the different conditional 
entropies can be easily expressed as a function of p: 
$H(X|Z) = 1 - h(p)$ and $H(X|Y) = h(p)$, where 
$h(p) = -p \log_2 p - (1 - p) \log_2 (1 - p)$ is the binary entropy function. 
This leads to: 

$$K_{\mathrm{real}}(p) = 1 - (1 + f(p))\,h(p). \tag{3}$$

In the following, we will use this expression to compare the 
efficiencies of different reconciliation schemes. One should note 
that even with a perfect reconciliation scheme, the maximum 
bit error rate admissible to distribute a secret is 11%. Typical 
implementations have an error rate between 3 and 10 %. It 
is this parameter range that interests us here. 

The rest of the paper is organised as follows: in section II 
we review the Cascade protocol which is currently the solution 
adopted in most implementations. In section III we present 
an optimization technique of LDPC codes for the BSC. The 
respective performances of Cascade and our LDPC codes are 
then discussed in section IV. 

II. Previous Work 
A. The Cascade protocol 

Cascade was proposed by Brassard and Salvail in their 
seminal paper "Secret key reconciliation by public discussion" 
m as an alternative to error correcting codes because at the 
time their complexity was too high to be used in practice 
ifSl . Cascade takes benefit from the interaction between Alice 
and Bob over an authenticated public channel to simplify 
the problem of reconciliation. It can be described by a very 
compact and elegant algorithm. 

The Cascade protocol is run iteratively a given number 
of passes, this number being determined as a function of 
the estimated probability of error. This error estimation is 
conducted prior to beginning the protocol, on a statistically 
significant random sample of Alice and Bob's data. In each 
pass i, Alice and Bob agree on a random permutation $\sigma_i$ which 
they apply to their strings, obtaining $\sigma_i(X)$ and $\sigma_i(Y)$. 
Then they divide their permuted strings into blocks of $k_i$ bits. 
After each pass the block size will be doubled: $k_i = 2k_{i-1}$. 
The value of the initial block size $k_1$ is a critical parameter. 
An empirical result in lO indicates that an optimal value is 
$k_1 \approx 0.73/e$, e being the estimated error probability. 

For each block j Alice sends its parity $x_j$ to Bob while 
Bob computes $y_j$, the parity of his block, sends it to Alice, 
and compares it with $x_j$. If $y_j \neq x_j$, Alice and Bob perform 
a binary search to find and correct an error in position p. The 
binary search consists in splitting the block j into two halves, 
and then calculating and exchanging the parity of one half. If both 
parities do not agree, Alice and Bob continue the binary search 
with the same half; if they agree, they continue with the other 
half. 

The position p where an error has been found belonged to 
different blocks in the preceding passes. Let C be the set of 
such blocks with an odd number of errors. Alice and Bob can 
now choose the smallest block in C and perform a binary 
search to find and correct another error. This new error will 
imply adding or removing blocks from C. This process is 
performed until C is emptied. 
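
The passes, block parity comparison, binary search and cascading correction described above, written out as an added Python example (it is not code from the paper). The number of passes (4), the seeded pseudo-random permutations and all function names are assumptions of the example; parities of blocks that were already disclosed are re-checked without counting new leakage, since Alice's parity for them is already public.

```python
import math
import random

def h(p):
    """Binary entropy h(p) in bits."""
    return 0.0 if p in (0, 1) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def parity(bits, idx):
    return sum(bits[i] for i in idx) & 1

def cascade(x, y, e, passes=4, seed=0):
    """Correct Bob's y against Alice's x; return (corrected y, parity bits disclosed)."""
    n, y, leaked = len(x), list(y), 0
    rng = random.Random(seed)          # stands in for the publicly agreed permutations
    member = [[] for _ in range(n)]    # member[i]: disclosed blocks containing position i
    k = max(2, round(0.73 / e))        # initial block size k_1 ~ 0.73/e

    def locate(block):
        """Binary search in a block whose parities differ; one parity leaked per halving."""
        nonlocal leaked
        while len(block) > 1:
            half = block[:len(block) // 2]
            leaked += 1
            block = half if parity(x, half) != parity(y, half) else block[len(half):]
        return block[0]

    for _ in range(passes):
        perm = list(range(n))
        rng.shuffle(perm)              # permutation sigma_i of this pass
        for start in range(0, n, k):
            block = perm[start:start + k]
            leaked += 1                # parity of the block sent on the public channel
            for i in block:
                member[i].append(block)
            odd = [block]              # the set C: blocks that may hold an odd error count
            while odd:
                b = min(odd, key=len)  # smallest block first
                odd.remove(b)
                if parity(x, b) == parity(y, b):
                    continue           # parities agree: no odd error count in b
                pos = locate(b)
                y[pos] ^= 1            # Bob corrects the located error
                # the parity of every other disclosed block containing pos just flipped
                odd.extend(c for c in member[pos] if c is not b)
        k *= 2                         # k_i = 2 k_{i-1}
    return y, leaked

def run_demo(n=10000, p=0.05, seed=7):
    """Constructed data: random x, and y obtained by sending x through a BSC(p)."""
    rng = random.Random(seed)
    x = [rng.getrandbits(1) for _ in range(n)]
    y = [bit ^ (rng.random() < p) for bit in x]
    before = sum(a != b for a, b in zip(x, y))
    fixed, leaked = cascade(x, y, p)
    after = sum(a != b for a, b in zip(x, fixed))
    return before, after, leaked / (n * h(p))   # last value: efficiency f(p)

if __name__ == "__main__":
    print(run_demo())
```

The third value returned by run_demo is the disclosed parity count divided by n h(p), i.e. the efficiency f(p) of Eq. (2) measured on this run.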

It should be noted that Cascade is highly interactive even 
when carefully implemented. Since many exchanges between 
Alice and Bob are required to reconcile a string, the time 
overhead for these communications can severely limit the 
achievable key generation rate. This could for instance be the 
case in free space QKD implemented between a satellite and a 
base station and even more when the communication between 
Alice and Bob is performed over a network connection with 
a high latency. 

Despite this limitation, Cascade is certainly the most widely 
used reconciliation protocol in practical discrete-variable 
QKD setups. One of its interests is its relative simplicity 
and the fact that it performs reasonably well in terms of 
efficiency. As we shall see, most of the alternative solutions 
developed after Cascade have focused on reducing the level of 
interactivity, usually at the expense of reconciliation efficiency. 
This is the reason why we have used Cascade as the essential 
element of comparison with the solution we have designed, 
that has the double advantage of being non-interactive and of 
performing better than Cascade in terms of efficiency over a 
wide parameter range. 

B. Other work on information reconciliation protocols 

Many variations around the principle of interactive reconciliation 
used in Cascade have been proposed, in order to 
limit the interactivity. Relevant work on the optimization of 
the block lengths has been done in lO, and makes it possible to limit 
the number of rounds in the regime of very low error rate. 
Among the most notable works, we can also cite the Winnow 
protocol lTj. Like Cascade, Winnow splits the binary strings 
to be reconciled into blocks but instead of correcting errors 
by iterative binary search, the error correction is based on 
the Hamming code. Winnow's interest lies in the reduction of 
the amount of required communication to three messages per 
iteration fSl. Winnow is thus significantly faster than Cascade 
but unfortunately, its efficiency is lower for error rates below 
10 %, i.e. in the parameter range useful for practical QKD. 
Another interesting development has been conducted by Liu [9] 
who has proposed a protocol that optimizes the information 
exchanged per corrected bit. Liu's protocol is in essence very 
similar to Cascade. Its objective is to minimize the information 
sent on the public channel to correct one error during a pass 
and leads to better efficiency. This protocol however remains 
highly interactive. 

Some QKD protocols provide Alice and Bob with corre- 
lated continuous random variables and specific work on key 
reconciliation has been conducted in this context, beginning 
with the work on Sliced Error Correction [10] used to convert 
continuous variables into binary strings. It is also mainly in the 
context of continuous variables that modern coding techniques 
have been used within information reconciliation protocols; 
turbo codes in ID and LDPC codes in HI, ifTH . 

In contrast with continuous-variable information reconciliation, 
not much has been done to adapt modern coding 
techniques to the discrete case. Forward error correction has 
the advantage of being very well known and even attaining 
the Shannon limit for some channels. Also, and of great 
importance for QKD, it requires a single message, namely 
the syndrome of X for the code being used, to correct the 
discrepancies. Relevant references are BBN Niagara ifTsll and 
the work for free space QKD by Duligall et al. [14], both 
of which use LDPC codes. However ifTSll provides a single 
point comparing the performance of LDPC codes and Cascade, 
showing a major decrease of the communication overhead but 
a slight decrease in the efficiency, while [14] does not provide 
any information on the results of their use of LDPC codes. 

III. Optimization of LDPC codes for the BSC 

LDPC codes also known as Gallager codes are linear codes 
that have a sparse parity check matrix, that is with relatively 
few non zero values. 

Their main advantage is that they can perform very close 
to Shannon limit, even with a suboptimal but fast, iterative 
decoding scheme. 

TABLE I 

Thresholds and degree distributions found for a representative set of rates 

Code rate   Threshold   λ(x) & ρ(x) 

0.90   0.0109   λ(x) = 0.07689x + 0.28096x2 + 0.08933x4 + 0.19620x8 + 0.30631x" + 0.05031x20 
                ρ(x) = 0.95025x49 + 0.04975x50 

0.85   0.0199   λ(x) = 0.04528x + 0.20537x2 + 0.05878x3 + 0.094274x4 + 0.08454x5 + 0.01176x^ + 0.05137x8 + 0.50015x20 
                ρ(x) = u.o^zu^x + u.^y^o / yoj- 

0.80   0.0298   λ(x) = 0.09420x + 0.18088x2 + 0.11972x5 + 0.08550x'5 + 0.09816x'^ + 0.07194xi"5 + 0.34960x25 
                ρ(x) = 0.58807x28 + 0.41193x29 

0.75   0.0392   λ(x) = 0.10805x + 0.09511x2 + 0.01449x3 + 0.13764x4 + 0.10667x5 + 0.05288x0 + 0.01107x2'' + 0.47408x30 
                ρ(x) = 0.74161x24 + 0.25839x25 

0.70   0.0504   λ(x) = 0.05343x + 0.29406x2 + 0.00896x5 + 0.15571x8 + 0.12189x" + 0.19872x24 + 0.09572x45 + 0.02741x01 + 0.04056x04 + 0.00354x''2 
                ρ(x) = 0.76922x19 + 0.23077x20 

0.65   0.0633   λ(x) = 0.10451x + 0.15652x2 + 0.08057x3 + 0.00056x4 + 0.12151x8 + 0.10485x^2 + 0.10719x^4 + 0.00771x20 + 0.31656x50 
                ρ(x) = 0.000578x + 0.06089x14 + 0.47001x15 + 0.46852x20 

0.60   0.0766   λ(x) = 0.11040x + 0.20804x2 + 0.14163x7 + 0.14858x8 + 0.14438x25 + 0.08909x26 + 0.00748x45 + 0.15038x''0 
                ρ(x) = 0.00036x + 0.13063x9 + 0.31068x12 + 0.49341x1'' + 0.064915x18 

0.55   0.0904   λ(x) = 0.16880x + 0.20994x2 + 0.18095x5 + 0.03846x14 + 0.02635x15 + 0.23454x1^ + 0.05815x18 + 0.08280x30 
                ρ(x) = 0.27631x9 + 0.72369x10 

0.50   0.1071   λ(x) = 0.14438x + 0.19026x2 + 0.01836x3 + 0.00233x4 + 0.04697x5 + 0.053943x'' + 0.05590x8 + 0.01290x9 
                       + 0.00162x10 + 0.06159x13 + 0.13115x14 + 0.01481x1^ + 0.00879x40 + 0.00650x48 + 0.00210x54 + 0.00099x55 
                       + 0.11178x50 + 0.06238x57 + 0.05094x58 + 0.02230x05 
                ρ(x) = 0.47575x9 + 0.46847x11 + 0.02952x12 + 0.02626x13 

In the case of reconciliation of binary strings, and hence for 
application to discrete-variable QKD, LDPC codes need to be 
specifically optimized for the BSC. 

The LDPC code design optimization problem can be efficiently 
addressed with a genetic algorithm: Differential Evolution 
(DE) flSl . In particular, this solution was successfully 
applied for the BEC in fTU and for the BIAWGN channel in 
uni. 

DE is an Evolutionary Optimization Algorithm: it maintains 
a population of N D-dimensional vectors (code candidates) 
of real parameters respecting some constraints. This population 
evolves for a fixed number of generations or until a vector 
is found which meets a stopping criterion. The population is 
initialized to cover as much as possible of the parameter space. 
For each generation, DE mutates and recombines the current 
population to produce a trial population. Mutation is performed 
by adding the weighted difference of two population vectors 
to a third one. 

Recombination is used to increase the diversity of the trial 
population: trial vectors are modified incorporating a small set 
of parameter values from a current population vector. A trial 
vector is incorporated into the current population if a cost 
function assigns to it a lower cost value than the cost value of 
the preceding vector, otherwise it is discarded. 

LDPC codes can be represented as bipartite graphs ifTsl . 
One set of nodes, the check nodes, represents the set of parity-check 
equations which define the code; the other, the variable 
nodes, represents the elements of the codewords. A check 
(variable) node in the graph is called of degree i if it is 
connected to i variable (check) nodes. We denote by $\lambda_i$ ($\rho_i$) 
the fraction of edges which are connected to bit (check) nodes 
of degree i. Let L be the maximum variable degree and R 
the maximum check degree, we define an ensemble of LDPC 
codes by the generating functions $\lambda(x)$ and $\rho(x)$. 

$$\lambda(x) = \sum_{i=2}^{L} \lambda_i x^{i-1}, \quad 0 \le \lambda_i \le 1; \qquad \rho(x) = \sum_{i=2}^{R} \rho_i x^{i-1}, \quad 0 \le \rho_i \le 1 \tag{4}$$



We can express the code rate as a function of the coefficients 
of $\lambda(x)$ and $\rho(x)$: 



Rate = 1 



(5) 



The functions $\lambda(x)$ and $\rho(x)$ have $L + R - 2$ non zero coefficients. 
However not all these coefficients are independent: 
$\lambda(x)$ and $\rho(x)$ define degree distributions and must therefore 
be normalized, and we want all codes to be of the same rate 
in order to compare their thresholds. 

In particular, to ensure that $\lambda(x)$ and $\rho(x)$ define a degree 
distribution we fix the coefficients corresponding to variable 
and check nodes of degree 2: 

$$\lambda_2 = 1 - \sum_{i=3}^{L} \lambda_i, \qquad \rho_2 = 1 - \sum_{i=3}^{R} \rho_i \tag{6}$$

We can set the code rate using a third coefficient, we use 
Al- From ^ and (|6]l, one gets: 

, ^ + E^L3P.(i-^)-/3Et3^A.(i-i) 

M^) 

where $\beta = 1 - \mathrm{Rate}$. 

These three constraints leave a final number of $D = L + R - 5$ 
parameters, each one associated with one of the non fixed 
coefficients of $\lambda(x)$ and $\rho(x)$. Finally we require the codes to 
be stable for crossover probabilities p below their threshold, 
the stability condition for the BSC channel being given by 
uni: 



2E.(*-l)p.v/p(l-rt 
We have used the discretized density evolution algorithm [19] 
to compute the cost function and evaluate the candidate codes. 
This algorithm calculates a threshold value for a random 
LDPC code with a fixed node and degree distribution. The 
threshold determines the limit of the error-free region asymp- 
totically as the block length tends to infinity. Discretized 
density evolution guarantees that the predicted threshold is a 
lower bound of the real threshold. 

The results we have obtained with this set of constraints are 
shown in Table I. For all rates the thresholds are very close 
to the Shannon limit. These thresholds are only achievable by 
infinite length codes, but experimental results obtained with 
finite length codes were not very different (see section IV-A). 
This is indeed not too surprising since the relevant length of 
codes we have used is quite large (10^), adapted to the typical 
requirements of QKD where large blocks of data have to be 
processed together to minimize finite size effects [20]. 

IV. Experimental Results 

In this section we discuss the experimental performances 
of Cascade and of our LDPC codes for block length of 10^. 
We have implemented Cascade as described in jSl and our 
LDPC codes are decoded with the belief propagation algorithm 
ET\ . The remaining bit error probability is below 1.5 • 10"^ 
and the remaining errors can be handled very efficiently by 
concatenation with a BCH code of very high rate (typically 
0.998 El). 

A. Reconciliation Efficiency 

As explained in Section I, the performance of a reconciliation 
protocol can be evaluated by measuring the amount of 
information disclosed in this process. For the BSC with a 
crossover probability p, an ideal reconciliation protocol would 
reveal a fraction $h(p)$ while a real protocol reveals $f(p)\,h(p)$. 
We have represented the reconciliation efficiency $f(p)$ on Fig. 1 
for Cascade and for our codes. The results that we have 
found with Cascade are very similar to those of Crépeau [5] 
or Brassard and Salvail JU: Cascade performs well at low bit 
error rates where its efficiency differs only by 10% from the 
Shannon limit of 1. However, its efficiency decreases gradually 
as the crossover probability increases. 



A quick observation reveals that, in contrast with Cascade, 
the reconciliation efficiency $f(p)$ exhibits a saw behavior when 
our set of LDPC codes is used. The reason for this is that we 
have chosen a discrete number of codes. As each code has a 
certain threshold, a string with a measured error probability p 
will be corrected with the code having the smallest threshold 
greater than p. The saw effect will be reduced as the number 
of LDPC codes used is increased. To illustrate this fact, we 
have also included in Fig. 1 the smooth curve which would be 
the result of using an infinite number of LDPC codes. 

As we can see on this figure, optimized LDPC codes can 
perform better than Cascade as soon as the error rate is above 
2%. With our set of 9 LDPC codes, the performances are 
always better than Cascade when the error rate is above 5%. 
This gain of performance can significantly impact on the 
achievable secret key generation rate in practical QKD. 
[Figure 1: plot of f(p) against the crossover probability p; the legend includes "Cascade (n = 100000)".] 

Fig. 1. Reconciliation Efficiency f(p) achieved by LDPC codes and Cascade. 
(1) Using our set of 9 LDPC codes described in Table I. (2) Extrapolated curve 
of f(p) for an infinite number of LDPC codes. 



B. Secret Key Rate and Local Randomization 

As it appears from Eq. Q, the measure of the reconciliation 
efficiency $f(p)$ can be translated into a value of the achievable 
secret key rate $K_{\mathrm{real}}(p)$, a value that is indeed the true figure 
of merit for a practical QKD system. 

In order to mitigate the saw effect produced by using an 
LDPC code non-adapted to the error-rate of the BSC, we 
have studied the impact of a possible improvement that can 
easily be implemented in practice: local randomization [23]. 
The idea is to make use of the LDPC codes in an error rate 
region close to their threshold, where their efficiency $f(p)$ 
is better. To achieve that in practice we use our freedom 
to worsen the error rate before performing the information 
reconciliation, by performing a local randomization on X, the 
string held by Alice. When the error rate p is in the range 
$p \in (a, b)$ corresponding to the region of use of a given 
LDPC code of threshold b, we worsen the error rate from 
p to b. To do that, Alice can flip each of her bits with a 
probability e. In order to have final error rate of b we must take 
e = ■ From the point of view of Alice and Bob, the chain 
X is replaced by its randomized version and the practical reconciliation 
reveals a fraction $f(b)\,h(b)$, the term $f\,H(X|Y)$ evaluated for the 
randomized chain. From the point 
of view of Eve, the effect of local randomization is however 
worse: Eve holds Z, a noisy version of Alice's chain with 
$H(X|Z) = 1 - h(p) \equiv h(q)$. Alice then flips each of her bits 
with probability e and the effective error probability for Eve 
is $e(1 - q) + (1 - e)q = q + e - 2eq$. Applying Eq. ([TJ with 
the randomized chain replacing X leads to: 

$$K(p) = h(q + e - 2eq) - f(b)\,h(b) \tag{9}$$

The comparison of what can be achieved using either Cascade 
or our LDPC codes is displayed on Fig. 2. The advantage 
of our reconciliation protocol can be well understood by 
considering the maximal admissible bit error rate. While it 
is less than 9.5 % with Cascade, it becomes very close to the 
theoretical limit of 11 % with our protocol. This implies in 
practice that the maximum distance at which practical secure 
secret key distribution is possible will be extended when using 
our reconciliation protocol. 




[Figure 2: plot of the secret key rate against the crossover probability p.] 

Fig. 2. Secret Key Rate for Cascade and LDPC codes. (1) Theoretical limit, 
(2) LDPC codes with local randomization, (3) LDPC codes without local 
randomization, (4) Cascade (n = 100000) 
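
The code selection rule of Section IV-A and the key rates of Eqs. (3) and (9) can be evaluated numerically for the nine (rate, threshold) pairs of Table I. The following Python code is an added example, not code from the paper. It assumes that the syndrome of a rate-R code discloses 1 - R bits per key bit (BCH overhead and finite-length effects are ignored), and it obtains the flip probability e by solving p + e - 2pe = b, the same composition rule the text applies to Eve; all function names are hypothetical.

```python
import math

# (code rate R, threshold b) for the nine codes, as listed in Table I
CODES = [(0.90, 0.0109), (0.85, 0.0199), (0.80, 0.0298), (0.75, 0.0392),
         (0.70, 0.0504), (0.65, 0.0633), (0.60, 0.0766), (0.55, 0.0904),
         (0.50, 0.1071)]

def h(p):
    """Binary entropy h(p) in bits."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def h_inv(v):
    """Inverse of h on [0, 1/2], by bisection (h is increasing there)."""
    lo, hi = 0.0, 0.5
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if h(mid) < v else (lo, mid)
    return (lo + hi) / 2

def pick_code(p):
    """The code with the smallest threshold greater than p (None if p is too high)."""
    return next(((r, b) for r, b in CODES if b > p), None)

def efficiency(p):
    """f(p) = (1 - R) / h(p), assuming the syndrome discloses 1 - R bits per key bit."""
    code = pick_code(p)
    return None if code is None else (1 - code[0]) / h(p)

def key_rate(p, randomize=False):
    """Secret key rate for BB84, with or without local randomization."""
    code = pick_code(p)
    if code is None:
        return 0.0
    rate, b = code
    disclosed = 1 - rate                  # equals f(p) h(p), and also f(b) h(b)
    if not randomize:
        return max(0.0, 1 - h(p) - disclosed)          # Eq. (3)
    e = (b - p) / (1 - 2 * p)             # derived here: p + e - 2pe = b
    q = h_inv(1 - h(p))                   # Eve's equivalent BSC: h(q) = 1 - h(p)
    return max(0.0, h(q + e - 2 * e * q) - disclosed)  # Eq. (9)

def max_error_rate(f=1.0):
    """Largest p for which 1 - (1 + f) h(p) is still positive, for a constant f."""
    return h_inv(1 / (1 + f))

if __name__ == "__main__":
    for p in (0.03, 0.051, 0.06, 0.063, 0.064, 0.10):
        print(p, pick_code(p), round(efficiency(p), 3),
              round(key_rate(p), 4), round(key_rate(p, True), 4))
    print("limit for f = 1:", round(max_error_rate(1.0), 4))
```

Within one code's interval f(p) falls as p approaches the threshold and jumps back up when the next code takes over, which is the saw behavior; randomizing up to the threshold never lowers the rate, because h(q + e - 2eq) is at least h(q).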

V. Conclusion 

We have shown that LDPC codes can be used to reconcile 
two correlated discrete random variables. The results show 
that LDPC codes are a good alternative to Cascade. In terms 
of reconciliation efficiency they offer a similar behaviour for 
small crossover probabilities and a significant improvement 
for the crossover probabilities over 0.02. In terms of 
interactivity, LDPC codes need a single information exchange 
to reconcile the two variables while Cascade is very greedy in 
communication resources. 

LDPC codes have been optimized for the BSC with thresh- 
olds near the channel capacity. This result can have a prac- 
tical impact on the performance of QKD systems but also 
find a broader range of application to other scenarios where 
information-theoretic secret key agreement can be performed, 
such as the wiretap channel [24] or Maurer's satellite scenario 

m. 